Configuring pxGrid in an ISE Distributed Environment
advertisement
Configuring pxGrid in an ISE Distributed
Environment
SECURE ACCESS HOW-TO GUIDES
Table of Contents
About this Document ...................................................................................................................................................... 4
Introduction ..................................................................................................................................................................... 5
ISE Distributed Deployment with pxGrid persona Introduction .................................................................................. 6
pxGrid persona Configuration ....................................................................................................................................... 8
Configuring Microsoft CA 2008 R2 Enterprise pxGrid Template .......................................................... 8
pxGrid Node Configuration without pxGrid Active-Standby................................................................ 10
CA-Signed Node Certificate Generation ............................................................................................ 10
Exporting pxGrid node public/private key in Primary PAN & MnT node ............................................. 14
Bulk Session Downloads ................................................................................................................... 17
Registering ISE Nodes for Distributed Environment ................................................................................................. 18
pxGrid Client Management ........................................................................................................................................... 20
pxGrid Client Configuration ......................................................................................................................................... 22
pxGrid Java sdk Installation ..................................................................................................................... 22
Introduction to pxGrid client SDK Java Keystores .................................................................................... 23
pxGrid client certificate configuration ....................................................................................................... 24
pxGrid client Active-Standby Examples ............................................................................................. 30
Testing pxGrid client in ISE Distributed Environment ............................................................................................... 36
Viewing Keystore Entries ......................................................................................................................... 37
ISE Distributed Deployment with pxGrid Active-Standby Introduction.................................................................... 45
Registering ISE nodes for Distributed Environment pxGrid Active-Standby .......................................................... 46
Testing pxGrid client in ISE Distributed Environment pxGrid Active-Standby ....................................................... 50
Testing pxGrid Active-Standby ................................................................................................................. 51
Basic Operation ................................................................................................................................. 51
Testing FailOver ....................................................................................................................................... 54
Returning Back to Primary ....................................................................................................................... 56
ISE Self-Signed Identity Certificates ........................................................................................................................... 60
Sample Certificates from SDK ..................................................................................................................................... 64
Testing pxGrid Client ................................................................................................................................ 65
References ..................................................................................................................................................................... 67
Appendices .................................................................................................................................................................... 68
Alternative way of generating pxGrid node Certificate Signing Request (CSR) ....................................... 68
Troubleshooting ....................................................................................................................................... 70
Removing Java and Installing JDK 8.0 on Centos 6.5 ............................................................................. 70
Cisco Systems © 2015
Page 2
SECURE ACCESS HOW-TO GUIDES
Delete Old version of Java ................................................................................................................. 70
Install JDK 8.0.................................................................................................................................... 71
Cisco Systems © 2015
Page 3
SECURE ACCESS HOW-TO GUIDES
About this Document
This document is intended for Cisco engineers, partners, and customers deploying pxGrid in a production Cisco
Identity Services (ISE) 1.3 environment. The reader should familiar with ISE and pxGrid.
This document focuses on deploying external CA Signed Certificates for the ISE pxGrid node and pxGrid clients.
Other certificate deployment considerations such as: self-signed ISE Identity certificates and pxGrid sample
certificates are discussed in detail in the series of following documents: Deploying Certificates with Cisco pxGrid
Certificate Authority (CA)-signed pxGrid ISE node and CA-signed pxGrid client
Certificate Authority (CA)-signed pxGrid client and self-self signed ISE pxGrid node certificate
Self-signed certificates with ISE pxGrid node and pxGrid client
For Configuring pxGrid in a test environment, please see reference:
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-84Configure_and_Test_Integration_with_Cisco_pxGrid.pdf
This document will cover an external ISE pxGrid node configuration and pxGrid Active-Standby configuration in a
distributed ISE environment. The pxGrid client for testing these configurations is a MacBook Pro running OSX 10.8.5
and Oracle Java Development Kit(jdk-8u-20-macros-x64.dmg) for the pxGrid java SDK. If you are running other
versions of Linux, please see http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-84Configure_and_Test_Integration_with_Cisco_pxGrid.pdf
This document also touches on configuring the pxGrid ISE node with self-signed certificates and sample certificates
used in POC deployments. However for detailed information, please refer to the associated documents.
A Microsoft Enterprise 2008 CA R2 Enterprise server was used for the Certificate Authority (CA) and signed both the
pxGrid client certificate, pxGrid node certificates and ISE node certificates.
Cisco Systems © 2015
Page 4
SECURE ACCESS HOW-TO GUIDES
Introduction
Cisco Platform Exchange Grid (pxGrid) enables multivendor, cross platform network system collaboration among
parts of the IT infrastructure such as security monitoring and network detection systems, network platforms, asset and
configuration management, identity and access management platforms and virtually any other IT operations platform.
When business or operations needs arise, ecosystem partners can use pxGrid to exchange contextual information via a
publish/subscribe method with Cisco platforms that use pxGrid as well as any other ecosystem that uses pxGrid.
There are essentially three components to pxGrid: the publisher, pxGrid client, and the pxGrid controller, Cisco
Identity Service Engine (ISE) pxGrid node.
pxGrid publisher of topics of information, the pxGrid client will subscribe to- In Cisco Identity Services
Engine (ISE) version 1.3, ISE is the sole publisher of this information or capabilities as they called as well.
pxGrid client- can be a supported Cisco Security platform, pxGrid ecosystem partner, or a Linux or MAC host
running the pxGrid SDK, that subscribes to the published information.
pxGrid controller – Cisco Identity Services Engine (ISE) pxGrid node, that controls the client
registration/management and topic/subscription processes.
ISE will publish these information topics:
SessionDirectory- session attributes from authenticated 802.1X sessions
EndpointProtectionService- Adaptive Network Control (ANC) quarantine/unquarantine mitigation actions
TrustsecMetadataCapability- Security Group Tag (SGT) Information
EndpointProfileMetadata- ISE policy information
IdentityGroup- group and profiling information
The pxGrid client will subscribe to these topics and obtain the ISE contextual information.
ISE is deployed in a distributed environment, where all the nodes have separate personas: Primary PAN (Policy Admin
node), Primary MnT (Monitoring) node, PSN (Policy Service Node). The pxGrid node will also be deployed as a
separate persona and will require a customized pxGrid template in a CA (Certificate Authority) signed environment.
This document covers the procedural steps in configuring pxGrid in this ISE distributed environment using CA signed
certificates for both the ISE pxGrid node and the ISE pxGrid client.
This document also covers a pxGrid Active-Standby configuration.
A MAC running OSX 10.8.5 will serve as the pxGrid client in this document.
A Microsoft Enterprise CA (Certificate Authority) 2008 R2 Server, will be the designated CA server. Please note that a
customized template for pxGrid will have an Enhanced KeyUsage (EKU) of both client and server authentication. The
EKU defines the purpose of the certificate, and is defined by the ISO-defined object identifiers (OIDs), in this use case
one for client authentication (1.3.6.1.5.5.7.3.2) and another one for server authentication (1.3.6.1.5.5.7.3.1).
Cisco Systems © 2015
Page 5
SECURE ACCESS HOW-TO GUIDES
ISE Distributed Deployment with pxGrid persona
Introduction
The Windows 2008 R2 Enterprise CA Server was used as the CA Authority. The CA root certificate was imported into
the trusted system certificates store of each of the ISE nodes. The CSR node requests were serviced by the CA using
the web server template and admin “usage” certs defined in the ISE nodes, except for the pxGrid nodes.
The pxGrid nodes use a custom template, containing EKU’s for both client and server authentication.
Note: The pxGrid template can be a duplicate of the user template using Windows 2003 format, and a duplicate of the user template with EKUs for
both client authentication and server authentication added.
The public/private key pair from the pxGrid node must be copied to the system certificate store for each of the Primary
PAN (admin) and Primary MnT (monitoring) modes for successful pxGrid operation.
Note: In the case of an Active-Standby pxGrid configuration, the public/private key pair of the first pxGrid node (primary pxGrid node) will be
exported into the Primary PAN and Primary MnT nodes. The public/private key pair of the second pxGrid node (secondary pxGrid node) will be
exported into the secondary PAN or secondary MnT nodes.
The below diagram represents a typical ISE distributed environment with regards to certificate generation for the
various ISE nodes. Note the admin “usage” certificate for CSR request generation for all ISE nodes except for the
pxGrid node. The CA server will service these requests using the “web server” template. The pxGrid “usage”
certificate for the pxGrid node(s) CSR request is serviced by the custom pxGrid template.
Cisco Systems © 2015
Page 6
SECURE ACCESS HOW-TO GUIDES
The below diagram represents the pxGrid node configuration in a Distributed ISE environment. The pxGrid node is
external in all productional environments.
The public/private key from the pxGrid node is copied into the system certificate stores of both the Primary PAN and
Primary MnT before enabling the pxGrid controller..
Cisco Systems © 2015
Page 7
SECURE ACCESS HOW-TO GUIDES
pxGrid persona Configuration
Configuring Microsoft CA 2008 R2 Enterprise pxGrid Template
This section covers the pxGrid certificate template configuration. The pxGrid template must contain both EKU’s for
client authentication and server authentication.
The pxGrid template is created in the following steps:
Step 1
Select->Administrative Tools->Certificate Authority-> “+” dropdown next to CA server->Right-Click on
Certificate Templates->Manage
Step 2
Right-Click and Duplicate User template->Select->Windows 2003 Enterprise->OK
Note: Select Windows Server 2003 Enterprise so it will appear in the template CA window drop-down
Cisco Systems © 2015
Page 8
SECURE ACCESS HOW-TO GUIDES
Step 3
Enter name of certificate template, uncheck “Publish certificate in Active Directory”, provide validity
period and renewal period.
Step 4
Click on Extensions->Add->Server Authentication->OK->Apply
Cisco Systems © 2015
Page 9
SECURE ACCESS HOW-TO GUIDES
pxGrid Node Configuration without pxGrid Active-Standby
This section illustrates the steps of defining the ISE nodes, generating CSR requests and obtaining certificates from the
CA authority. The process is typical of any ISE distributed deployment. This occurs in stand-alone before joining the
nodes from the Primary Admin node.
The pxGrid node will use the ISE pxGrid usage certificates for the initial CSR requests and serviced by the MS CA
“pxGrid” template as defined earlier. The returned certificate will be bound to the initial pxGrid CSR request.
The public/private key pair will be exported from the pxGrid node and imported into the Primary PAN and Primary
MnT nodes.
Note: In a pxGrid Active-Standby configuration, the public/private key pair from the second or secondary pxGrid node will be imported into the
Secondary PAN and Secondary MnT nodes.
The Microsoft CA root certificate will be downloaded and imported into the trusted system certificates store in each
ISE node and enabled for “Trust for Authentication within ISE”.
CA-Signed Node Certificate Generation
The following steps outline the procedure for downloading the CA root certificate, generating ISE node CSR requests,
and binding certificates to CSR requests.
Note: The CA Root certificate and other serviced certificate requests should be download in base 64 format
Step 1
Download CA root in base 64 format.
Step 2
Import into the Trusted Certificates Store
Cisco Systems © 2015
Page 10
SECURE ACCESS HOW-TO GUIDES
Administration->System->Certificates->Trusted Certificates
Step 3
Generate CSR for the desired Admin, MnT, nodes, in stand-alone environment.
Administration-System->Certificates->Certificate Signing Requests-“admin” certificate usage
Step 4
Use the MS CA “Web Server” template to service the certificate requests for the Admin, MnT, PSN nodes.
Cisco Systems © 2015
Page 11
SECURE ACCESS HOW-TO GUIDES
Step 5
Download in base 64 encoded format
Step 6
Bind the certificate to the CSR requests for each ISE node, individually. (i.e. admin, MnT, PSN)
Administration-System->Certificates->Certificate Signing Requests->Select certificate and Bind
Step 7
Import the node certificate for each ISE node, individually, then submit
Cisco Systems © 2015
Page 12
SECURE ACCESS HOW-TO GUIDES
Step 8
Generate CSR for the pxGrid node.
Administration->System->Certificates->Certificate Signing Requests-“pxGrid” certificate usage
Step 9
Submit request MS CA “pxGrid” template to service certificate request for the pxGrid node.
Cisco Systems © 2015
Page 13
SECURE ACCESS HOW-TO GUIDES
Step 10
Bind the pxGrid certificate to the pxGrid node CSR request.
Administration-System->Certificates->Certificate Signing Requests->Select pxGrid node & bind certificate
Exporting pxGrid node public/private key in Primary PAN & MnT node
There is an alternative way for exporting the primary pxGrid node public/private key pair into the Primary PAN and
Primary MnT node for pxGrid operation, please see: Alternative way of generating pxGrid node CSR (Certificate
Signing Request) in the Appendices.
Cisco Systems © 2015
Page 14
SECURE ACCESS HOW-TO GUIDES
The public/private key pair of the pxGrid client node must be copied into the Primary PAN and MnT node. The steps
are described below:
Step 1
Export the public and private keys from the pxGrid node’s system certificate store and import to the system
store for the desired Primary Admin and MnT nodes in Stand-alone mode new installation.
Note: If you have an existing ISE 1.3 deployment and adding external pxGrid persona, you can export the pubic/private key pairs for the pxGrid
node from the Primary PAN’s system certificates store and import into the Primary PAN and Primary MnT
Administration->System->Certificates->System Certificates, select the certificate and export the certificate
and private key
You will have to provide a name for the private key (i.e. cisco123). This will be saved as a zipped file
containing both the PEM and PVK (public/private key pair).
Step 2
For the desired Primary Admin node, import both public and private key into the System Certificate store,
then submit.
Administration->System->Certificates->System Certificates and import both the pxGrid PEM
and PVK certificates.
Cisco Systems © 2015
Page 15
SECURE ACCESS HOW-TO GUIDES
Step 3
For the desired Primary MnT node, import both public and private key into the System Certificate store,
then submit.
Administration->System->Certificates->System Certificates and import both the pxGrid PEM
and PVK certificates.
Step 4
You will see the pxGrid public/private key in the system certificates store of the Primary PAN and Primary
MnT nodes.
Cisco Systems © 2015
Page 16
SECURE ACCESS HOW-TO GUIDES
Bulk Session Downloads
Bulk Session downloads provide active session download queries from the ISE MnT node, using the pxGrid
session_download script. This provides available session attributes from authenticated 802.1X authenticated sessions
with regards to available ISE contextual information. The public key (PEM) from the MnT node is copied to the
pxGrid client, converted to DER, and imported into the truststoreFilename keystore. This will be covered later, but for
now export the MnT node certificate as indicated below.
Note: In a pxGrid Active Standby Configuration, both the Primary MnT node and the Secondary MnT node certificates need to be imported into the
pxGrid client. If either of these certificates does not exist, there will be problem when registering clients, and non-connectivity to pxGrid nodes.
Step 1
Export the public certificate key only from the desired MnT node. This will be used by the pxGrid client
for bulk session downloads
Administration->Certificates->Certificate Management->System Certificates and select the MnT identity
cert and export the public certificate
Cisco Systems © 2015
Page 17
SECURE ACCESS HOW-TO GUIDES
Registering ISE Nodes for Distributed Environment
The desired stand-alone ISE nodes for Primary PAN, Primary MnT, PSN, and pxGrid are registered through the
Primary Admin (PAN) node.
These steps are defined below:
Step 1
Set the desired Admin node to initially include Primary Admin and Primary MnT personas.
Step 2
Register the desired MnT node which will become the primary MnT.
Note: The Primary PAN will automatically become the secondary MnT persona. Disable the secondary MnT persona.
Step 3
Register the PSN node
Cisco Systems © 2015
Page 18
SECURE ACCESS HOW-TO GUIDES
Step 4
Register the pxGrid node
Step 5
Ensure that the pxGrid services started and you have the ISE published capabilities
Administration->pxGrid Services and also enable Auto Registration
Cisco Systems © 2015
Page 19
SECURE ACCESS HOW-TO GUIDES
pxGrid Client Management
The pxGrid Service menu provides: client management: client registration/deletion, authorization of client “pending”
requests when Auto-Registration is disabled. This menu also provides a log history view of the client registered
capabilities or information topics.
Enable Auto-Registration – enables auto registration, pxGrid clients will automatically register after the initial
pxGrid client authentication has completed.
Disable Auto-Registration – disables auto registration, pxGrid clients will remain in a “pending” state until the
administrator moves them into the appropriate “session” or “EPS” group.
Client Groups- client groups will register primarily to the “session” group for pxGrid operation.
Administrator- reserved for ISE
Session- access to session attribute information
EPS- superset of “session” group, used for ANC “Adaptive Network Control” mitigations
Live Log- displays history of client registration and topic subscriptions
Cisco Systems © 2015
Page 20
SECURE ACCESS HOW-TO GUIDES
Cisco Systems © 2015
Page 21
SECURE ACCESS HOW-TO GUIDES
pxGrid Client Configuration
In this section, we cover the pxGrid java SDK installation for pxGrid sample script testing. Register.sh will be run to
connect and establish connection with the pxGrid controller. Session_download.sh will be run to download active
session records from ISE. These scripts are used for basic testing to ensure that the connection and communication
between the pxGrid client and ISE are working. If you have a desire to test all the shell scripts including Adaptive
Network Control (ANC) mitigation actions, formerly known as Endpoint Protection Service (EPS). Please see:
(http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-84Configure_and_Test_Integration_with_Cisco_pxGrid.pdf)
pxGrid Java sdk Installation
Please see your Cisco Account team for obtaining the pxGrid java SDK libraries
Download the Oracle Java Development Kit for your Linux operating system:
http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
In order to install the Oracle Java Development Kit, you must uninstall the older version of Java that exists on your
system.
Note: If you are using a MAC for testing, please see: https://www.java.com/en/download/help/mac_uninstall_java.xml for uninstalling Java
If you are using Centos 6.5, please refer to the Appendices Removing Java and Installing JDK 8.0 on Centos 6.5
Untar the folder. tar -zxf pxgrid-sdk-x.x.x-dist.tar.gz
You will see the following:
Lib- contains all the GCL Libraries
Samples- contains bin, certs, conf, lib and src directories
Bin- contains all the sample scripts
Certs- contains all the sample pxGrid identity and rootSample certificates
Src- contains all the java source files
In order to run the pxGrid sample scripts, include the path of jre in the “JAVA_HOME=” environment variable.
An example for the MAC is provided below.
To view the location of the jre path, run the following:
Note: you will need root privileges when running sudo
sudo find / -name java
Password:
/Applications/pxGridsdk/pxgrid-sdk-1.0.0/samples/src/java
find: /dev/fd/3: Not a directory
find: /dev/fd/4: Not a directory
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java
/Library/Java/JavaVirtualMachines/jdk1.8.0_25.jdk/Contents/Home/bin/java
/Library/Java/JavaVirtualMachines/jdk1.8.0_25.jdk/Contents/Home/jre/bin/java
Cisco Systems © 2015
Page 22
SECURE ACCESS HOW-TO GUIDES
Add the path “/Library/Java/JavaVirtualMachines/jdk1.8.0_25.jdk/Contents/Home/jre” to JAVA_HOME
export JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk1.8.0_25.jdk/Contents/Home/jre
With different versions of Linux, such as Centos 64, make sure “keytool” is included in the path
Append the “../jdk1.7._51/bin” to PATH
export
PATH=/usr/lib64/qt3.3/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/jeppich/bin:/usr
/java/jdk1.7.0_51/bin
Introduction to pxGrid client SDK Java Keystores
Java keystores contain the public/private key pairs of certificates, such as the CA root certificates, host identity or
pxGrid client certificate, self-signed certificate. The java keystore itself is a PKCS #12 format (.JKS).
The certificates themselves are either in a PEM or CER format, and converted over to DER and imported into the java
keystore.
In this document, we will use CA signed pxGrid client certificates and CA signed ISE certificates.
For pxGrid, there is the keystoreFilename that contains the pxGrid client identity certificate and truststoreFilename
keystore that represents the CA root certificates, and the MnT node certificates.
In addition these keystore values contains associated passwords, keystorePassword and truststorePassword when
importing the certificates into the keystore.
The keystoreFilename, keystorePassword, truststoreFilename, truststorePassword, are using in the pxGrid SDK scripts
for SASL authentication and connection to the pxGrid persona.
In the illustrated example below, the pxGrid client registers and connects to the pxGrid controller.
./register.sh -keystoreFilename pxGridClient.jks -keystoreFilename cisco123 -truststoreFilename root3.jks truststorePassword cisco123 -group Session -description test -username macbook-pro -hostname 10.0.0.48
------- properties ------version=1.0.0
hostnames=10.0.0.48
username=macbook-pro
descriptipon=test
keystoreFilename=pxGridClient.jks
keystorePassword=cisco123
truststoreFilename=root3.jks
truststorePassword=cisco123
-------------------------registering...
connecting...
account enabled
connected.
done registering.
connection closed
Cisco Systems © 2015
Page 23
SECURE ACCESS HOW-TO GUIDES
In the illustrated example below, the pxGrid client downloads active session records from the MnT node
./session_download.sh -keystoreFilename pxGridClient.jks -keystoreFilename cisco123 -truststoreFilename
root3.jks -truststorePassword cisco123 -username macbook-pro -hostname 10.0.0.48
------- properties ------version=1.0.0
hostnames=10.0.0.48
username=MacBook-Pro
keystoreFilename=pxGridClient.jks
keystorePassword=cisco123
truststoreFilename=root3.jks
truststorePassword=cisco123
filter=null
start=null
end=null
-------------------------connecting...
connected.
starting at Wed Dec 10 18:44:49 EST 2014...
session (ip=10.0.0.18, Audit Session Id=0A0000020000000B006E1086, User Name=jeppich, AD User DNS
Domain=lab6.com, AD Host DNS Domain=null, AD User NetBIOS Name=LAB6, AD Host NETBIOS Name=null, Calling
station id=00:0C:29:D1:8D:90, Session state= STARTED, Epsstatus=null, Security Group=null, Endpoint
Profile=VMWare-Device, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/15, RADIUSAVPairs=[ Acct-SessionId=00000002], Posture Status=null, Posture Timestamp=, Session Last Update Time=Wed Dec 10 16:41:48 EST 2014
)... ending at: Wed Dec 10 18:44:49 EST 2014
--------------------------------------------------downloaded 1 sessions in 26 milliseconds
--------------------------------------------------connection closed
pxGrid client certificate configuration
The following procedure represents the steps for generating keys for the pxGrid client, creating the CSR request,
importing certificates converting them to DER adding to the keystores.
Note: The pxGrid client configuration is for having a CA-signed pxGrid client and CA-signed pxGrid node certificate. Please see references for other
certificate deployment considerations.
The process is described below:
A private key is generated for the pxGrid client
A CSR (Certificate Signing Request) is generated from the private key. A challenge key is required which
will be used later on for keystore management
The CA Authority signs the CSR request with a valid pxGrid template as defined earlier
A PKCS#12 file will be created from the public/private key pair and root certificate. This will be used for
keystore creation of the keystoreFilename (JKS) and truststoreFilename (JKS)
The keystoreFilename (JKS) will be created
The truststoreFilename (JKS) will be created
Import the ISE identity certificate from the ISE MnT primary and ISE MnT secondary nodes used for active
session record or bulk download sessions.
Cisco Systems © 2015
Page 24
SECURE ACCESS HOW-TO GUIDES
Convert the ISE identity certificate PEM file to a DER format and add to the truststorefileName keystore along
with the CA root certificate
Import the pxGrid client certificate into the keystoreFilename (JKS)
Import the CA Root certificate into the tuststoreFilename (JKS)
Copy both files into the pxGrid “../samples/bin/.. “ folder and run the scripts
Step 1
Generate a private key
Generate a private key (i.e. mac.key) for the pxGrid client.
Note: this can be .key name can be any name, here I called it mac.key
openssl genrsa -out mac.key 4096
Generating RSA private key, 4096 bit long modulus
.............................................................................................................
.....................++
...............++
e is 65537 (0x10001)
Step 1
Generate the CSR request
Generate a CSR request (i.e. mac.csr) to the CA Authority. Provide a challenge password (i.e. cisco123)
Note: the .csr can be any name, here I called it mac.csr for uniformity, also the challenge password can be any name
openssl req -new -key mac.key -out mac.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:cisco123
An optional company name []:Eppich, Inc
the same password throughout this documnent, easier to maintain, and cut down on errors
Step 2
CA authority signs the pxGrid CSR request.
The CA authority must service the user certificate using a pxGrid template with both EKUs for client
authentication and server authentication.
Note: A CA template of Windows 2003 was selected, so it would appear in the Drop-down. A user template was duplicated with both EKUs for client
and server authentication.
Cisco Systems © 2015
Page 25
SECURE ACCESS HOW-TO GUIDES
Step 3
Create the PKCS12 file
Create a pxGrid client pkcs12 file (mac.p12) from the private key in the pxGrid client certificate (i.e.
mac.cer). This will be used for keystore management and can be a random filename with a .p12 extension.
Include the CA root file (i.e. root2a).
openssl pkcs12 -export -out mac.p12 -inkey mac.key -in mac.cer -chain -CAfile root2a.cer
Enter Export Password: cisco123
Verifying - Enter Export Password: cisco123
Step 4
Create the keystoreFilename for the pxGrid client
Create the pxGrid client identity keystore (i.e. mac.jks). This will be the pxGrid client identity keystore.
This can be a random filename with a .jks extension. This will serve as the keystoreFilename and
associated keystorePassword in the pxGrid script examples.
keytool -importkeystore -srckeystore mac.p12 -destkeystore mac.jks -srcstoretype PKCS12
Enter destination keystore password: cisco123
Re-enter new password: cisco123
Enter source keystore password:
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Step 5
Export the public ISE Identity certificate from the ISE MnT Primary and ISE MnT Secondary nodes
Export only the public ISE Identity certificate into the pxGrid client, note that this will be in .pem format.
You can rename the file with .pem extension to make it easier to read. In this example, the file was
renamed to mnt1.pem.
Note: Both ISE MnT Primary and ISE MnT Secondary nodes are required by the pxGrid client if pxGrid Active-Standby is configured
Cisco Systems © 2015
Page 26
SECURE ACCESS HOW-TO GUIDES
Step 6
Convert the ISE Identity MnT node PEM format to DER format
openssl x509 -outform der -in mnt1.pem -out mnt1.der
Step 7
Add the ISE MnT DER file to truststoreFilename
Add the ISE identity cert to the trust keystore (i.e. caroot1.jks). this will be the trusted keystore. This can
be a random filename with a .jks extension. This will become the truststoreFilename and
truststorePassword used in the pxGrid scripts.
keytool -import -alias isemnt -keystore caroot1.jks -file mnt1.der
Enter keystore password: cisco123
Re-enter new password: cisco123
Owner: CN=ise.lab6.com
Issuer: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Serial number: 61262d7600000000000d
Valid from: Wed Dec 10 16:39:24 EST 2014 until: Sat Dec 10 16:49:24 EST 2016
Certificate fingerprints:
MD5: 2B:3D:24:04:D3:FF:1F:1E:7E:57:8E:44:4A:AF:6D:51
SHA1: BD:18:C0:DD:4D:DD:43:80:CA:CA:3B:F6:DC:1E:6E:46:93:59:FE:B7
SHA256:
F9:11:FC:EC:BC:0F:0F:84:36:F1:26:BC:5A:09:B7:2B:3C:D1:1B:AC:FC:1A:F1:AB:6D:00:8D:11:F8:26:93:FF
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.2.840.113549.1.9.15 Criticality=false
0000: 30 35 30 0E 06 08 2A 86
48 86 F7 0D 03 02 02 02
0010: 00 80 30 0E 06 08 2A 86
48 86 F7 0D 03 04 02 02
0020: 00 80 30 07 06 05 2B 0E
03 02 07 30 0A 06 08 2A
0030: 86 48 86 F7 0D 03 07
050...*.H.......
..0...*.H.......
..0...+....0...*
.H.....
#2: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
0000: 30 32 30 0A 06 08 2B 06
01 05 05 07 03 01 30 0A
0010: 06 08 2B 06 01 05 05 07
03 02 30 0A 06 08 2B 06
0020: 01 05 05 07 03 04 30 0C
06 0A 2B 06 01 04 01 82
0030: 37 0A 03 04
020...+.......0.
..+.......0...+.
......0...+.....
7...
#3: ObjectId: 1.3.6.1.4.1.311.21.7
0000: 30 2D 06 25 2B 06 01 04
01
0010: 87 CB EB 79 81 89 9D 2D
86
0020: 5E 86 D1 B8 23 85 FC EF
40
0-.%+.....7.....
...y...-...S...8
^...#...@..d...
Criticality=false
82 37 15 08 DC FD 1A
E6 FC 53 86 82 A1 38
02 01 64 02 01 03
#4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
Cisco Systems © 2015
Page 27
SECURE ACCESS HOW-TO GUIDES
[
accessMethod: caIssuers
accessLocation: URIName: ldap:///CN=lab6-WIN-BG7GPQ053IDCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab6,DC=com?cACertificate?base?objectCla
ss=certificationAuthority
]
]
#5: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A9 C7 8E 26 9C F5 37 0A
E6 5A 15 36 26 D4 A2 06
0010: 6A C8 79 2C
]
]
...&..7..Z.6&...
j.y,
#6: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: ldap:///CN=lab6-WIN-BG7GPQ053ID-CA,CN=WINBG7GPQ053ID,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab6,DC=com?certificateRevocati
onList?base?objectClass=cRLDistributionPoint]
]]
#7: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[] ]
]
#8: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
emailProtection
1.3.6.1.4.1.311.10.3.4
]
#9: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#10: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: DA 39 A3 EE 5E 6B 4B 0D
32 55 BF EF 95 60 18 90
0010: AF D8 07 09
]
]
.9..^kK.2U...`..
....
Trust this certificate? [no]: yes
Certificate was added to keystroke
Step 8
Import the pxGrid client into keystoreFilename
Import the pxGrid client certificate into the identity keystore.
Johns-MacBook-Pro:pxGridsdk jeppich$ keytool -import -alias pxGridMAC -keystore mac.jks -file
mac.cer
Enter keystore password: cisco123
Certificate already exists in keystore under alias <1>
Do you still want to add it? [no]: yes
Certificate was added to keystore
Cisco Systems © 2015
Page 28
SECURE ACCESS HOW-TO GUIDES
Note: If you receive the following message the certficate was already added to a pre-existing keystore, you
can say “no” and still be okay. I selected “yes” so we can verify thay the certificate was added later on.
Step 9
Add the CA root certificate to the truststoreFilename
Add the CA root certificate to trusted keystore. The CA root certificate needs to be trusted as well.
keytool -import -alias ca_root1 -keystore caroot1.jks -file root2a.cer
Enter keystore password: cisco123
Owner: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Issuer: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Serial number: 448a6d6486c91cb14c6888c127d16c4e
Valid from: Thu Nov 13 20:47:06 EST 2014 until: Wed Nov 13 20:57:06 EST 2019
Certificate fingerprints:
MD5: 41:10:8A:F5:36:76:79:9C:2C:00:03:47:55:F8:CF:7B
SHA1: 9D:DA:06:AF:06:3F:8F:5E:84:C7:F4:58:50:95:03:22:64:48:96:9F
SHA256:
DB:28:50:D6:47:CA:C0:6A:E9:7B:87:B4:0E:9C:3A:C1:A2:61:EA:D1:29:8B:45:B4:76:4B:DA:2A:F1:D8:E0:A3
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
0000: 02 01 00
...
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A9 C7 8E 26 9C F5 37 0A
E6 5A 15 36 26 D4 A2 06
0010: 6A C8 79 2C
]
]
...&..7..Z.6&...
j.y,
Trust this certificate? [no]: yes
Certificate was added to keystore
Step 10
Copy the identity keystore (mac.jks) and trust keystore (caroot1.jks) into the pxGrid “../samples/bin/..”
folder.
Cisco Systems © 2015
Page 29
SECURE ACCESS HOW-TO GUIDES
pxGrid client Active-Standby Examples
For pxGrid Active-Standby, you need to export both primary MnT and secondary MnT public certificates (PEM) to
pxGrid client and convert them both to DER. Both certificates need to be added to the truststoreFilename keystore
along with the CA Root certificate (root2a.cer)
Johns-Macbook-Pro:mntnodes jeppich$ openssl x509 -outform der -in mnt1.pem -out mnt1.der
Johns-Macbook-Pro:mntnodes jeppich$ keytool -import -alias lab1 -keystore caroot1.jks -file mnt1.der
Enter keystore password:
Re-enter new password:
Owner: CN=mnt1.lab6.com
Issuer: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Serial number: 61326a18000000000031
Valid from: Tue Jan 20 20:08:40 EST 2015 until: Fri Jan 20 20:18:40 EST 2017
Certificate fingerprints:
MD5: D7:EC:5C:10:37:8D:6A:64:4C:51:BE:0B:7E:46:A4:36
SHA1: 6A:CF:48:0D:55:34:41:AA:D8:68:2C:06:86:6E:85:1A:80:7A:8E:BE
SHA256:
66:7C:74:C3:D8:50:D0:09:A2:AA:60:5C:9D:97:09:D9:75:30:DD:3D:4B:56:47:77:91:47:84:DF:46:57:53:6F
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.2.840.113549.1.9.15 Criticality=false
0000: 30 35 30 0E 06 08 2A 86
48 86 F7 0D 03 02 02 02
0010: 00 80 30 0E 06 08 2A 86
48 86 F7 0D 03 04 02 02
0020: 00 80 30 07 06 05 2B 0E
03 02 07 30 0A 06 08 2A
0030: 86 48 86 F7 0D 03 07
050...*.H.......
..0...*.H.......
..0...+....0...*
.H.....
#2: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
0000: 30 32 30 0A 06 08 2B 06
01 05 05 07 03 01 30 0A
0010: 06 08 2B 06 01 05 05 07
03 02 30 0A 06 08 2B 06
0020: 01 05 05 07 03 04 30 0C
06 0A 2B 06 01 04 01 82
0030: 37 0A 03 04
020...+.......0.
..+.......0...+.
......0...+.....
7...
#3: ObjectId: 1.3.6.1.4.1.311.21.7
0000: 30 2D 06 25 2B 06 01 04
01
0010: 87 CB EB 79 81 89 9D 2D
86
0020: 5E 86 D1 B8 23 85 FC EF
40
0-.%+.....7.....
...y...-...S...8
^...#...@..d...
Criticality=false
82 37 15 08 DC FD 1A
E6 FC 53 86 82 A1 38
02 01 64 02 01 03
#4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: ldap:///CN=lab6-WIN-BG7GPQ053IDCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab6,DC=com?cACertificate?base?objectCla
ss=certificationAuthority
]
]
#5: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A9 C7 8E 26 9C F5 37 0A
E6 5A 15 36 26 D4 A2 06
0010: 6A C8 79 2C
]
]
...&..7..Z.6&...
j.y,
#6: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
Cisco Systems © 2015
Page 30
SECURE ACCESS HOW-TO GUIDES
[URIName: ldap:///CN=lab6-WIN-BG7GPQ053ID-CA,CN=WINBG7GPQ053ID,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab6,DC=com?certificateRevocati
onList?base?objectClass=cRLDistributionPoint]
]]
#7: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[] ]
]
#8: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
emailProtection
1.3.6.1.4.1.311.10.3.4
]
#9: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#10: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: mnt1.lab6.com
]
#11: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: DA 39 A3 EE 5E 6B 4B 0D
32 55 BF EF 95 60 18 90
0010: AF D8 07 09
]
]
.9..^kK.2U...`..
....
Trust this certificate? [no]: yes
Certificate was added to keystore
Johns-Macbook-Pro:mntnodes jeppich$ openssl x509 -outform der -in mnt2.pem -out mnt2.der
Johns-Macbook-Pro:mntnodes jeppich$ keytool -import -alias lab1 -keystore caroot1.jks -file mnt2.der
Enter keystore password:
keytool error: java.lang.Exception: Certificate not imported, alias <lab1> already exists
Johns-Macbook-Pro:mntnodes jeppich$ keytool -import -alias lab2 -keystore caroot1.jks -file mnt2.der
Enter keystore password:
Owner: CN=mnt2.lab6.com
Issuer: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Serial number: 613244ec000000000044
Valid from: Wed Mar 04 18:11:54 EST 2015 until: Fri Mar 03 18:11:54 EST 2017
Certificate fingerprints:
MD5: 1E:96:5E:35:A1:3E:FA:CD:16:32:A7:01:2C:5A:E6:12
SHA1: 8F:0D:8A:58:DD:80:82:D3:56:F1:CE:26:E4:A3:C3:3F:F8:F6:D1:28
SHA256:
3A:70:F0:E6:43:93:E8:10:11:C5:FE:61:24:66:A2:C8:2A:FA:AC:04:38:4A:B5:B6:20:2C:E6:3C:21:D5:45:C3
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
0000: 1E 12 00 57 00 65 00 62
00 53 00 65 00 72 00 76
0010: 00 65 00 72
...W.e.b.S.e.r.v
.e.r
#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
Cisco Systems © 2015
Page 31
SECURE ACCESS HOW-TO GUIDES
accessLocation: URIName: ldap:///CN=lab6-WIN-BG7GPQ053IDCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab6,DC=com?cACertificate?base?objectCla
ss=certificationAuthority
]
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A9 C7 8E 26 9C F5 37 0A
E6 5A 15 36 26 D4 A2 06
0010: 6A C8 79 2C
]
]
...&..7..Z.6&...
j.y,
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: ldap:///CN=lab6-WIN-BG7GPQ053ID-CA,CN=WINBG7GPQ053ID,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab6,DC=com?certificateRevocati
onList?base?objectClass=cRLDistributionPoint]
]]
#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: mnt2.lab6.com
]
#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: DA 39 A3 EE 5E 6B 4B 0D
32 55 BF EF 95 60 18 90
0010: AF D8 07 09
]
]
.9..^kK.2U...`..
....
Trust this certificate? [no]: yes
Certificate was added to keystore
Johns-Macbook-Pro:mntnodes jeppich$ keytool -list -v -keystore caroot1.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: lab2
Creation date: Mar 4, 2015
Entry type: trustedCertEntry
Owner: CN=mnt2.lab6.com
Issuer: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Serial number: 613244ec000000000044
Valid from: Wed Mar 04 18:11:54 EST 2015 until: Fri Mar 03 18:11:54 EST 2017
Certificate fingerprints:
MD5: 1E:96:5E:35:A1:3E:FA:CD:16:32:A7:01:2C:5A:E6:12
SHA1: 8F:0D:8A:58:DD:80:82:D3:56:F1:CE:26:E4:A3:C3:3F:F8:F6:D1:28
SHA256:
3A:70:F0:E6:43:93:E8:10:11:C5:FE:61:24:66:A2:C8:2A:FA:AC:04:38:4A:B5:B6:20:2C:E6:3C:21:D5:45:C3
Signature algorithm name: SHA256withRSA
Version: 3
Cisco Systems © 2015
Page 32
SECURE ACCESS HOW-TO GUIDES
Extensions:
#1: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
0000: 1E 12 00 57 00 65 00 62
00 53 00 65 00 72 00 76
0010: 00 65 00 72
...W.e.b.S.e.r.v
.e.r
#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: ldap:///CN=lab6-WIN-BG7GPQ053IDCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab6,DC=com?cACertificate?base?objectCla
ss=certificationAuthority
]
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A9 C7 8E 26 9C F5 37 0A
E6 5A 15 36 26 D4 A2 06
0010: 6A C8 79 2C
]
]
...&..7..Z.6&...
j.y,
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: ldap:///CN=lab6-WIN-BG7GPQ053ID-CA,CN=WINBG7GPQ053ID,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab6,DC=com?certificateRevocati
onList?base?objectClass=cRLDistributionPoint]
]]
#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: mnt2.lab6.com
]
#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: DA 39 A3 EE 5E 6B 4B 0D
32 55 BF EF 95 60 18 90
0010: AF D8 07 09
]
]
.9..^kK.2U...`..
....
*******************************************
*******************************************
Alias name: lab1
Creation date: Mar 4, 2015
Entry type: trustedCertEntry
Owner: CN=mnt1.lab6.com
Issuer: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Serial number: 61326a18000000000031
Cisco Systems © 2015
Page 33
SECURE ACCESS HOW-TO GUIDES
Valid from: Tue Jan 20 20:08:40 EST 2015 until: Fri Jan 20 20:18:40 EST 2017
Certificate fingerprints:
MD5: D7:EC:5C:10:37:8D:6A:64:4C:51:BE:0B:7E:46:A4:36
SHA1: 6A:CF:48:0D:55:34:41:AA:D8:68:2C:06:86:6E:85:1A:80:7A:8E:BE
SHA256:
66:7C:74:C3:D8:50:D0:09:A2:AA:60:5C:9D:97:09:D9:75:30:DD:3D:4B:56:47:77:91:47:84:DF:46:57:53:6F
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.2.840.113549.1.9.15 Criticality=false
0000: 30 35 30 0E 06 08 2A 86
48 86 F7 0D 03 02 02 02
0010: 00 80 30 0E 06 08 2A 86
48 86 F7 0D 03 04 02 02
0020: 00 80 30 07 06 05 2B 0E
03 02 07 30 0A 06 08 2A
0030: 86 48 86 F7 0D 03 07
050...*.H.......
..0...*.H.......
..0...+....0...*
.H.....
#2: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
0000: 30 32 30 0A 06 08 2B 06
01 05 05 07 03 01 30 0A
0010: 06 08 2B 06 01 05 05 07
03 02 30 0A 06 08 2B 06
0020: 01 05 05 07 03 04 30 0C
06 0A 2B 06 01 04 01 82
0030: 37 0A 03 04
020...+.......0.
..+.......0...+.
......0...+.....
7...
#3: ObjectId: 1.3.6.1.4.1.311.21.7
0000: 30 2D 06 25 2B 06 01 04
01
0010: 87 CB EB 79 81 89 9D 2D
86
0020: 5E 86 D1 B8 23 85 FC EF
40
0-.%+.....7.....
...y...-...S...8
^...#...@..d...
Criticality=false
82 37 15 08 DC FD 1A
E6 FC 53 86 82 A1 38
02 01 64 02 01 03
#4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: ldap:///CN=lab6-WIN-BG7GPQ053IDCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab6,DC=com?cACertificate?base?objectCla
ss=certificationAuthority
]
]
#5: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A9 C7 8E 26 9C F5 37 0A
E6 5A 15 36 26 D4 A2 06
0010: 6A C8 79 2C
]
]
...&..7..Z.6&...
j.y,
#6: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: ldap:///CN=lab6-WIN-BG7GPQ053ID-CA,CN=WINBG7GPQ053ID,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab6,DC=com?certificateRevocati
onList?base?objectClass=cRLDistributionPoint]
]]
#7: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[] ]
]
#8: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
emailProtection
1.3.6.1.4.1.311.10.3.4
]
Cisco Systems © 2015
Page 34
SECURE ACCESS HOW-TO GUIDES
#9: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#10: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: mnt1.lab6.com
]
#11: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: DA 39 A3 EE 5E 6B 4B 0D
32 55 BF EF 95 60 18 90
0010: AF D8 07 09
]
]
.9..^kK.2U...`..
....
*******************************************
*******************************************
Johns-Macbook-Pro:mntnodes jeppich$ openssl x509 -outform der -in root2a.cer -out root2a.der
Johns-Macbook-Pro:mntnodes jeppich$ keytool -import -alias lab3 -keystore caroot1.jks -file root2a.der
Enter keystore password:
Owner: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Issuer: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Serial number: 448a6d6486c91cb14c6888c127d16c4e
Valid from: Thu Nov 13 20:47:06 EST 2014 until: Wed Nov 13 20:57:06 EST 2019
Certificate fingerprints:
MD5: 41:10:8A:F5:36:76:79:9C:2C:00:03:47:55:F8:CF:7B
SHA1: 9D:DA:06:AF:06:3F:8F:5E:84:C7:F4:58:50:95:03:22:64:48:96:9F
SHA256:
DB:28:50:D6:47:CA:C0:6A:E9:7B:87:B4:0E:9C:3A:C1:A2:61:EA:D1:29:8B:45:B4:76:4B:DA:2A:F1:D8:E0:A3
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
0000: 02 01 00
...
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A9 C7 8E 26 9C F5 37 0A
E6 5A 15 36 26 D4 A2 06
0010: 6A C8 79 2C
]
]
...&..7..Z.6&...
j.y,
Trust this certificate? [no]: yes
Certificate was added to keystore
Cisco Systems © 2015
Page 35
SECURE ACCESS HOW-TO GUIDES
Testing pxGrid client in ISE Distributed Environment
The pxGrid scripts: register.sh and session download.sh will be run to ensure pxGrid client connection and pxGrid
registration. Session downloads will ensure that there are no issues with the ISE MNT certificate and the pxGrid
client.
Step 1
Register the pxGrid client
Johns-Macbook-Pro:bin jeppich$ ./register.sh -keystoreFilename mac.jks -keystorePassword cisco123 truststoreFilename caroot1.jks -truststorePassword cisco123 -hostname 10.0.0.48 -username mac1 -group Session
------- properties ------version=1.0.0
hostnames=10.0.0.48
username=mac1
descriptipon=null
keystoreFilename=mac.jks
keystorePassword=cisco123
truststoreFilename=caroot1.jks
truststorePassword=cisco123
-------------------------registering...
connecting...
connected.
done registering.
connection closed
Johns-Macbook-Pro:bin jeppich$
Verify the pxGrid client has registered to the pxGrid controller
Administration->pxGrid Services
Step 2
Run the Session download
Johns-Macbook-Pro:bin jeppich$ ./session_download.sh -keystoreFilename mac.jks -keystorePassword cisco123 truststoreFilename caroot1.jks -truststorePassword cisco123 -hostname 10.0.0.48 -username mac1
------- properties ------version=1.0.0
hostnames=10.0.0.48
username=mac1
keystoreFilename=mac.jks
keystorePassword=cisco123
truststoreFilename=caroot1.jks
truststorePassword=cisco123
filter=null
start=null
Cisco Systems © 2015
Page 36
SECURE ACCESS HOW-TO GUIDES
end=null
-------------------------connecting...
connected.
starting at Thu Mar 05 21:45:49 EST 2015...
session (ip=10.0.0.17, Audit Session Id=0A0000020000000D02D814C0, User Name=jeppich, AD User DNS
Domain=lab6.com, AD Host DNS Domain=null, AD User NetBIOS Name=LAB6, AD Host NETBIOS Name=null, Calling
station id=00:0C:29:77:D6:85, Session state= STARTED, Epsstatus=null, Security Group=null, Endpoint
Profile=VMWare-Device, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/23, RADIUSAVPairs=[ Acct-SessionId=00000004], Posture Status=null, Posture Timestamp=, Session Last Update Time=Thu Mar 05 21:33:02 EST 2015
)
session (ip=null, Audit Session Id=0A0000020000000C0003672C, User Name=68:EF:BD:F6:76:56, AD User DNS
Domain=null, AD Host DNS Domain=null, AD User NetBIOS Name=null, AD Host NETBIOS Name=null, Calling station
id=68:EF:BD:F6:76:56, Session state= STARTED, Epsstatus=null, Security Group=null, Endpoint Profile=CiscoDevice, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/15, RADIUSAVPairs=[ Acct-Session-Id=00000005], Posture
Status=null, Posture Timestamp=, Session Last Update Time=Thu Mar 05 21:33:44 EST 2015 )... ending at: Thu
Mar 05 21:45:49 EST 2015
--------------------------------------------------downloaded 2 sessions in 35 milliseconds
--------------------------------------------------connection closed
Viewing Keystore Entries
By viewing the keystore entries you can view the trusted certificate entries for the keystoreFilename and
truststoreFilename keystores.
Step 1
Verify caroot1.jks, the truststoreFilename keystore
Johns-Macbook-Pro:bin jeppich$ keytool -list -v -keystore caroot1.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
Alias name: lab3
Creation date: Mar 4, 2015
Entry type: trustedCertEntry
Owner: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Issuer: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Serial number: 448a6d6486c91cb14c6888c127d16c4e
Valid from: Thu Nov 13 20:47:06 EST 2014 until: Wed Nov 13 20:57:06 EST 2019
Certificate fingerprints:
MD5: 41:10:8A:F5:36:76:79:9C:2C:00:03:47:55:F8:CF:7B
SHA1: 9D:DA:06:AF:06:3F:8F:5E:84:C7:F4:58:50:95:03:22:64:48:96:9F
SHA256:
DB:28:50:D6:47:CA:C0:6A:E9:7B:87:B4:0E:9C:3A:C1:A2:61:EA:D1:29:8B:45:B4:76:4B:DA:2A:F1:D8:E0:A3
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
0000: 02 01 00
...
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
Cisco Systems © 2015
Page 37
SECURE ACCESS HOW-TO GUIDES
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A9 C7 8E 26 9C F5 37 0A
E6 5A 15 36 26 D4 A2 06
0010: 6A C8 79 2C
]
]
...&..7..Z.6&...
j.y,
*******************************************
*******************************************
Alias name: lab2
Creation date: Mar 4, 2015
Entry type: trustedCertEntry
Owner: CN=mnt2.lab6.com
Issuer: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Serial number: 613244ec000000000044
Valid from: Wed Mar 04 18:11:54 EST 2015 until: Fri Mar 03 18:11:54 EST 2017
Certificate fingerprints:
MD5: 1E:96:5E:35:A1:3E:FA:CD:16:32:A7:01:2C:5A:E6:12
SHA1: 8F:0D:8A:58:DD:80:82:D3:56:F1:CE:26:E4:A3:C3:3F:F8:F6:D1:28
SHA256:
3A:70:F0:E6:43:93:E8:10:11:C5:FE:61:24:66:A2:C8:2A:FA:AC:04:38:4A:B5:B6:20:2C:E6:3C:21:D5:45:C3
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
0000: 1E 12 00 57 00 65 00 62
00 53 00 65 00 72 00 76
0010: 00 65 00 72
...W.e.b.S.e.r.v
.e.r
#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: ldap:///CN=lab6-WIN-BG7GPQ053IDCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab6,DC=com?cACertificate?base?objectCla
ss=certificationAuthority
]
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A9 C7 8E 26 9C F5 37 0A
E6 5A 15 36 26 D4 A2 06
0010: 6A C8 79 2C
]
]
...&..7..Z.6&...
j.y,
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
Cisco Systems © 2015
Page 38
SECURE ACCESS HOW-TO GUIDES
[URIName: ldap:///CN=lab6-WIN-BG7GPQ053ID-CA,CN=WINBG7GPQ053ID,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab6,DC=com?certificateRevocati
onList?base?objectClass=cRLDistributionPoint]
]]
#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: mnt2.lab6.com
]
#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: DA 39 A3 EE 5E 6B 4B 0D
32 55 BF EF 95 60 18 90
0010: AF D8 07 09
]
]
.9..^kK.2U...`..
....
*******************************************
*******************************************
Alias name: lab1
Creation date: Mar 4, 2015
Entry type: trustedCertEntry
Owner: CN=mnt1.lab6.com
Issuer: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Serial number: 61326a18000000000031
Valid from: Tue Jan 20 20:08:40 EST 2015 until: Fri Jan 20 20:18:40 EST 2017
Certificate fingerprints:
MD5: D7:EC:5C:10:37:8D:6A:64:4C:51:BE:0B:7E:46:A4:36
SHA1: 6A:CF:48:0D:55:34:41:AA:D8:68:2C:06:86:6E:85:1A:80:7A:8E:BE
SHA256:
66:7C:74:C3:D8:50:D0:09:A2:AA:60:5C:9D:97:09:D9:75:30:DD:3D:4B:56:47:77:91:47:84:DF:46:57:53:6F
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.2.840.113549.1.9.15 Criticality=false
0000: 30 35 30 0E 06 08 2A 86
48 86 F7 0D 03 02 02 02
0010: 00 80 30 0E 06 08 2A 86
48 86 F7 0D 03 04 02 02
0020: 00 80 30 07 06 05 2B 0E
03 02 07 30 0A 06 08 2A
0030: 86 48 86 F7 0D 03 07
050...*.H.......
..0...*.H.......
..0...+....0...*
.H.....
#2: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
0000: 30 32 30 0A 06 08 2B 06
01 05 05 07 03 01 30 0A
0010: 06 08 2B 06 01 05 05 07
03 02 30 0A 06 08 2B 06
0020: 01 05 05 07 03 04 30 0C
06 0A 2B 06 01 04 01 82
0030: 37 0A 03 04
020...+.......0.
..+.......0...+.
......0...+.....
7...
#3: ObjectId: 1.3.6.1.4.1.311.21.7
0000: 30 2D 06 25 2B 06 01 04
01
0010: 87 CB EB 79 81 89 9D 2D
86
0020: 5E 86 D1 B8 23 85 FC EF
40
0-.%+.....7.....
...y...-...S...8
^...#...@..d...
Cisco Systems © 2015
Criticality=false
82 37 15 08 DC FD 1A
E6 FC 53 86 82 A1 38
02 01 64 02 01 03
Page 39
SECURE ACCESS HOW-TO GUIDES
#4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: ldap:///CN=lab6-WIN-BG7GPQ053IDCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab6,DC=com?cACertificate?base?objectCla
ss=certificationAuthority
]
]
#5: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A9 C7 8E 26 9C F5 37 0A
E6 5A 15 36 26 D4 A2 06
0010: 6A C8 79 2C
]
]
...&..7..Z.6&...
j.y,
#6: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: ldap:///CN=lab6-WIN-BG7GPQ053ID-CA,CN=WINBG7GPQ053ID,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab6,DC=com?certificateRevocati
onList?base?objectClass=cRLDistributionPoint]
]]
#7: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[] ]
]
#8: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
emailProtection
1.3.6.1.4.1.311.10.3.4
]
#9: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#10: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: mnt1.lab6.com
]
#11: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: DA 39 A3 EE 5E 6B 4B 0D
32 55 BF EF 95 60 18 90
0010: AF D8 07 09
]
]
.9..^kK.2U...`..
....
*******************************************
*******************************************
Johns-Macbook-Pro:bin jeppich$
Cisco Systems © 2015
Page 40
SECURE ACCESS HOW-TO GUIDES
Step 2
Verify mac.jks, the keystoreFilename keystore
Johns-Macbook-Pro:bin jeppich$ keytool -list -v -keystore mac.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: 1
Creation date: Jan 28, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
Issuer: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Serial number: 6118d613000000000034
Valid from: Wed Jan 28 14:35:54 EST 2015 until: Sat Jan 28 14:45:54 EST 2017
Certificate fingerprints:
MD5: 93:E4:D9:1B:00:5B:48:75:C1:9F:36:BC:B7:5C:27:73
SHA1: 33:79:37:44:81:EA:68:B8:EC:A3:26:75:18:70:AA:11:E4:58:B2:AF
SHA256:
DA:6C:BA:E3:E8:76:DD:8A:30:BA:EE:0B:46:3B:78:BF:F9:CE:B4:68:2C:5D:CE:8A:9D:FB:66:A8:1F:97:BE:4A
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.2.840.113549.1.9.15 Criticality=false
0000: 30 35 30 0E 06 08 2A 86
48 86 F7 0D 03 02 02 02
0010: 00 80 30 0E 06 08 2A 86
48 86 F7 0D 03 04 02 02
0020: 00 80 30 07 06 05 2B 0E
03 02 07 30 0A 06 08 2A
0030: 86 48 86 F7 0D 03 07
050...*.H.......
..0...*.H.......
..0...+....0...*
.H.....
#2: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
0000: 30 32 30 0A 06 08 2B 06
01 05 05 07 03 01 30 0A
0010: 06 08 2B 06 01 05 05 07
03 02 30 0A 06 08 2B 06
0020: 01 05 05 07 03 04 30 0C
06 0A 2B 06 01 04 01 82
0030: 37 0A 03 04
020...+.......0.
..+.......0...+.
......0...+.....
7...
#3: ObjectId: 1.3.6.1.4.1.311.21.7
0000: 30 2D 06 25 2B 06 01 04
01
0010: 87 CB EB 79 81 89 9D 2D
86
0020: 5E 86 D1 B8 23 85 FC EF
40
0-.%+.....7.....
...y...-...S...8
^...#...@..d...
Criticality=false
82 37 15 08 DC FD 1A
E6 FC 53 86 82 A1 38
02 01 64 02 01 03
#4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: ldap:///CN=lab6-WIN-BG7GPQ053IDCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab6,DC=com?cACertificate?base?objectCla
ss=certificationAuthority
]
]
#5: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A9 C7 8E 26 9C F5 37 0A
E6 5A 15 36 26 D4 A2 06
0010: 6A C8 79 2C
]
]
...&..7..Z.6&...
j.y,
#6: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
Cisco Systems © 2015
Page 41
SECURE ACCESS HOW-TO GUIDES
[URIName: ldap:///CN=lab6-WIN-BG7GPQ053ID-CA,CN=WINBG7GPQ053ID,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab6,DC=com?certificateRevocati
onList?base?objectClass=cRLDistributionPoint]
]]
#7: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[] ]
]
#8: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
emailProtection
1.3.6.1.4.1.311.10.3.4
]
#9: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#10: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 81 52 81 84 98 22 43 85
5E 95 06 14 D2 5A A8 70
0010: 15 06 CF DB
]
]
.R..."C.^....Z.p
....
Certificate[2]:
Owner: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Issuer: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Serial number: 448a6d6486c91cb14c6888c127d16c4e
Valid from: Thu Nov 13 20:47:06 EST 2014 until: Wed Nov 13 20:57:06 EST 2019
Certificate fingerprints:
MD5: 41:10:8A:F5:36:76:79:9C:2C:00:03:47:55:F8:CF:7B
SHA1: 9D:DA:06:AF:06:3F:8F:5E:84:C7:F4:58:50:95:03:22:64:48:96:9F
SHA256:
DB:28:50:D6:47:CA:C0:6A:E9:7B:87:B4:0E:9C:3A:C1:A2:61:EA:D1:29:8B:45:B4:76:4B:DA:2A:F1:D8:E0:A3
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
0000: 02 01 00
...
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A9 C7 8E 26 9C F5 37 0A
E6 5A 15 36 26 D4 A2 06
0010: 6A C8 79 2C
]
Cisco Systems © 2015
...&..7..Z.6&...
j.y,
Page 42
SECURE ACCESS HOW-TO GUIDES
]
*******************************************
*******************************************
Alias name: macstore
Creation date: Jan 28, 2015
Entry type: trustedCertEntry
Owner: O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
Issuer: CN=lab6-WIN-BG7GPQ053ID-CA, DC=lab6, DC=com
Serial number: 6118d613000000000034
Valid from: Wed Jan 28 14:35:54 EST 2015 until: Sat Jan 28 14:45:54 EST 2017
Certificate fingerprints:
MD5: 93:E4:D9:1B:00:5B:48:75:C1:9F:36:BC:B7:5C:27:73
SHA1: 33:79:37:44:81:EA:68:B8:EC:A3:26:75:18:70:AA:11:E4:58:B2:AF
SHA256:
DA:6C:BA:E3:E8:76:DD:8A:30:BA:EE:0B:46:3B:78:BF:F9:CE:B4:68:2C:5D:CE:8A:9D:FB:66:A8:1F:97:BE:4A
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.2.840.113549.1.9.15 Criticality=false
0000: 30 35 30 0E 06 08 2A 86
48 86 F7 0D 03 02 02 02
0010: 00 80 30 0E 06 08 2A 86
48 86 F7 0D 03 04 02 02
0020: 00 80 30 07 06 05 2B 0E
03 02 07 30 0A 06 08 2A
0030: 86 48 86 F7 0D 03 07
050...*.H.......
..0...*.H.......
..0...+....0...*
.H.....
#2: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
0000: 30 32 30 0A 06 08 2B 06
01 05 05 07 03 01 30 0A
0010: 06 08 2B 06 01 05 05 07
03 02 30 0A 06 08 2B 06
0020: 01 05 05 07 03 04 30 0C
06 0A 2B 06 01 04 01 82
0030: 37 0A 03 04
020...+.......0.
..+.......0...+.
......0...+.....
7...
#3: ObjectId: 1.3.6.1.4.1.311.21.7
0000: 30 2D 06 25 2B 06 01 04
01
0010: 87 CB EB 79 81 89 9D 2D
86
0020: 5E 86 D1 B8 23 85 FC EF
40
0-.%+.....7.....
...y...-...S...8
^...#...@..d...
Criticality=false
82 37 15 08 DC FD 1A
E6 FC 53 86 82 A1 38
02 01 64 02 01 03
#4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: ldap:///CN=lab6-WIN-BG7GPQ053IDCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab6,DC=com?cACertificate?base?objectCla
ss=certificationAuthority
]
]
#5: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A9 C7 8E 26 9C F5 37 0A
E6 5A 15 36 26 D4 A2 06
0010: 6A C8 79 2C
]
]
...&..7..Z.6&...
j.y,
#6: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: ldap:///CN=lab6-WIN-BG7GPQ053ID-CA,CN=WINBG7GPQ053ID,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab6,DC=com?certificateRevocati
onList?base?objectClass=cRLDistributionPoint]
]]
Cisco Systems © 2015
Page 43
SECURE ACCESS HOW-TO GUIDES
#7: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[] ]
]
#8: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
emailProtection
1.3.6.1.4.1.311.10.3.4
]
#9: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#10: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 81 52 81 84 98 22 43 85
5E 95 06 14 D2 5A A8 70
0010: 15 06 CF DB
]
]
.R..."C.^....Z.p
....
*******************************************
*******************************************
Johns-Macbook-Pro:bin jeppich$
Cisco Systems © 2015
Page 44
SECURE ACCESS HOW-TO GUIDES
ISE Distributed Deployment with pxGrid Active-Standby
Introduction
In this section, we cover pxGrid Active-Standby. In an ISE distributed deployment, there can be only (2) pxGrid
nodes. One handling the pxGrid client connections controlling the pxGrid services and the other one, for fail-over.
One pxGrid node can be active at a time.
The ISE Distributed Deployment with pxGrid Active-Standby consists of the Primary Admin node, Secondary Admin
node, Primary MnT node, Secondary MnT node, two PSNs, and two separate pxGrid personas.
We will add the Secondary Admin node, Secondary MnT node, and secondary pxGrid node to form the pxGrid ActiveStandby Configuration.
The public/private keys are exported from the first or primary pxGrid persona into the Primary Admin and Primary
MnT nodes System Certificates stores.
Note: This has already been configured as part of the initial ISE distributed deployment.
The public/private keys are exported from the second or secondary pxGrid persona into the Secondary Admin and
Secondary MnT nodes System Certificate stores.
The Primary and Secondary MnT Identity certificates are exported into the pxGrid client for bulk active session
downloads. If either of these certificates are missing, you may not see the pxGrid client register.
Registered client accounts, subscriptions, topics, etc. are Active-Active synchronized between pxGrid servers through
PANs . The primary and secondary pxGrid nodes are Active-Standby.
The pxGrid clients connect to the primary PxGrid node. If the primary pxGrid node goes down, the client connects to
the secondary pxGrid node and all registered clients and transactions will be there. This will be illustrated in this
document.
Cisco Systems © 2015
Page 45
SECURE ACCESS HOW-TO GUIDES
Registering ISE nodes for Distributed Environment pxGrid
Active-Standby
Here we register the secondary nodes.
Step 1
Import public/private key pair from the secondary pxGrid node into the secondary PAN.
Administration->System->Certificate->Certificate Management->System Certificates and import the
public/private key of the secondary pxGrid node
Note: This can be done when all nodes are in Stand-alone. This can also be done directly from the Primary PAN.
It is assumed that the public/private key pair from the secondary pxGrid node have been exported.
There is an alternative way for exporting the secondary pxGrid node public/private key pair into the
Secondary PAN and Secondary MnT node for pxGrid operation, please see: Alternative way of generating
pxGrid node Certificate Signing Request (CSR) in the Appendices.
Step 2
Import public/private key pair from the secondary pxGrid node into the secondary PAN.
Administration->System->Certificate->Certificate Management->System Certificates and import the
public/private key of the secondary pxGrid node
Cisco Systems © 2015
Page 46
SECURE ACCESS HOW-TO GUIDES
Step 3
You should the public/private key pairs have been successfully imported into the ISE Secondary PAN, and
ISE Secondary MnT nodes.
Administration->System->Certificates->Certificate Management->System Certificates
Step 4
Register the Secondary Primary admin node through Primary Admin Node
Administration->System->Deployment, register ISE node as the Secondary Admin node
Cisco Systems © 2015
Page 47
SECURE ACCESS HOW-TO GUIDES
Step 5
Register the Secondary Monitoring Node through the Primary Admin node
Administration->System->Deployment, register ISE node as the Secondary Monitoring node
Note: Ensure that the Secondary MnT has joined the domain, check External Identity Services, if the secondary MnT node has not joined the
domain, there will be no connectivity to the pxGrid node.
Cisco Systems © 2015
Page 48
SECURE ACCESS HOW-TO GUIDES
Step 6
Add the Secondary pxGrid node
Administration->System->Deployment, register ISE node as the Secondary pxGrid node
Step 7
Ensure that the pxGrid services have started, and you see the ISE published nodes:
Administration->pxGrid Services
Cisco Systems © 2015
Page 49
SECURE ACCESS HOW-TO GUIDES
Testing pxGrid client in ISE Distributed Environment pxGrid
Active-Standby
This section illustrates the pxGrid-Standby configuration by adding the Secondary PAN, Secondary MnT and
secondary pxGrid node. In addition we will test the configuration by:
Basic Operation:
Registering pxGrid client to primary pxGrid node
Note: In a pxGrid Active-Standby Configuration, only the primary pxGrid node can be active, the secondary pxGrid node is “not running” as
displayed by “sh application status ise” on the pxGrid secondary node
Download active session records from the MnT Primary node
View Registered pxGrid client status in ISE
View Deployment node status to indicate pxGrid node status
Testing pxGrid Node Failover to secondary pxGrid node
“application stop ise” on primary pxGrid node to simulated down pxGrid node
“application start ise” on secondary pxGrid node to start secondary pxGrid node
Download active sessions from MnT Primary node to compare sessions, they should be the same
Register pxGrid client to secondary pxGrid node
View Registered pxGrid client in ISE
View Deployment node status to indicate pxGrid node status
Returning back pxGrid primary node
application stop ise” on secondary pxGrid node
“application start ise” on primary pxGrid node
Download active sessions from MnT Primary node to compare sessions, they should be the same
Register pxGrid client to primary pxGrid node
View Registered pxGrid client in ISE
View Deployment node status to indicate pxGrid node status
Cisco Systems © 2015
Page 50
SECURE ACCESS HOW-TO GUIDES
Testing pxGrid Active-Standby
Basic Operation
Here we register the pxGrid client to the first pxGrid node or the primary pxGrid node while in the pxGrid Active
Standby configuration.
Basic Operation:
Registering pxGrid client to primary pxGrid node
Note: In a pxGrid Active-Standby Configuration, only the primary pxGrid node can be active, the secondary pxGrid node is “not running” as
displayed by “sh application status ise” on the pxGrid secondary node
Download active session records from the MnT Primary node
View Registered pxGrid client status in ISE
View Deployment node status to indicate pxGrid node status
The diagram below illustrates that all nodes are active
Step 1
Verify that all nodes are active
Administration->System->Deployment, you should see all the nodes
Cisco Systems © 2015
Page 51
SECURE ACCESS HOW-TO GUIDES
Step 2
Verify that pxGrid services up and the ISE Primary PAN, ISE Secondary PAN, ISE Primary MnT, and ISE
Secondary MnT node are registered clients.
Administration->pxGrid Services
Step 3
Register a pxGrid client and download the active session records using the pxGrid register and
session_download shell scripts. Note the IP address of the primary and secondary IP address of the pxGrid
nodes for –hostname.
Note: In a productional environment you may have a GUI that designates secondary pxGrid node.
Johns-Macbook-Pro:bin jeppich$ ./register.sh -keystoreFilename mac.jks -keystorePassword cisco123 truststoreFilename caroot1.jks -truststorePassword cisco123 -hostname 10.0.0.48 10.0.0.49 -username
mac_engineering15 -group Session
------- properties ------version=1.0.0
hostnames=10.0.0.48, 10.0.0.49
username=mac_engineering15
descriptipon=null
keystoreFilename=mac.jks
keystorePassword=cisco123
truststoreFilename=caroot1.jks
truststorePassword=cisco123
-------------------------registering...
connecting...
connected.
done registering.
connection closed
Johns-Macbook-Pro:bin jeppich$ ./session_download.sh -keystoreFilename mac.jks -keystorePassword cisco123 truststoreFilename caroot1.jks -truststorePassword cisco123 -hostname 10.0.0.48 10.0.0.49 -username
mac_engineering15
------- properties ------version=1.0.0
hostnames=10.0.0.48, 10.0.0.49
username=mac_engineering15
keystoreFilename=mac.jks
keystorePassword=cisco123
truststoreFilename=caroot1.jks
truststorePassword=cisco123
filter=null
start=null
end=null
-------------------------connecting...
connected.
starting at Thu Mar 05 00:54:43 EST 2015...
Cisco Systems © 2015
Page 52
SECURE ACCESS HOW-TO GUIDES
session (ip=10.0.0.17, Audit Session Id=0A0000020000000E027B9538, User Name=jeppich, AD User DNS
Domain=lab6.com, AD Host DNS Domain=null, AD User NetBIOS Name=LAB6, AD Host NETBIOS Name=null, Calling
station id=00:0C:29:77:D6:85, Session state= STARTED, Epsstatus=null, Security Group=null, Endpoint
Profile=VMWare-Device, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/23, RADIUSAVPairs=[ Acct-SessionId=00000006], Posture Status=null, Posture Timestamp=, Session Last Update Time=Wed Mar 04 20:06:47 EST 2015
)
session (ip=10.0.0.51, Audit Session Id=0A0000020000000C00035232, User Name=68:EF:BD:F6:76:56, AD User DNS
Domain=null, AD Host DNS Domain=null, AD User NetBIOS Name=null, AD Host NETBIOS Name=null, Calling station
id=68:EF:BD:F6:76:56, Session state= STARTED, Epsstatus=null, Security Group=null, Endpoint Profile=CiscoDevice, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/15, RADIUSAVPairs=[ Acct-Session-Id=00000004], Posture
Status=null, Posture Timestamp=, Session Last Update Time=Wed Mar 04 21:18:38 EST 2015 )... ending at: Thu
Mar 05 00:54:43 EST 2015
--------------------------------------------------downloaded 2 sessions in 12 milliseconds
---------------------------------------------------
Step 4
You should see the registered client, mac_engineering15
Administration->pxGrid Services
Cisco Systems © 2015
Page 53
SECURE ACCESS HOW-TO GUIDES
Testing FailOver
Testing pxGrid Node Failover to secondary pxGrid node
“application stop ise” on primary pxGrid node to simulated down pxGrid node
“application start ise” on secondary pxGrid node to start secondary pxGrid node
Download active sessions from MnT Primary node to compare sessions, they should be the same
Register pxGrid client to secondary pxGrid node
View Registered pxGrid client in ISE
View Deployment node status to indicate pxGrid node status
“application stop ise” on primary pxGrid node to simulated down pxGrid node
“application start ise” on secondary pxGrid node to start secondary pxGrid node
Download active sessions from MnT Primary node to compare sessions, they should be the same
Step 1
Verify that the primary pxGrid node or pxGrid 1 is down.
Administration->System->Deployment
Step 2
Run the register and session download commands to verify that you have connection the secondary pxGrid
node.
Cisco Systems © 2015
Page 54
SECURE ACCESS HOW-TO GUIDES
Johns-Macbook-Pro:bin jeppich$ ./session_download.sh -keystoreFilename mac.jks -keystorePassword cisco123 truststoreFilename caroot1.jks -truststorePassword cisco123 -hostname 10.0.0.49 -username mac_engineering15
------- properties ------version=1.0.0
hostnames=10.0.0.49
username=mac_engineering15
keystoreFilename=mac.jks
keystorePassword=cisco123
truststoreFilename=caroot1.jks
truststorePassword=cisco123
filter=null
start=null
end=null
-------------------------connecting...
connected.
starting at Thu Mar 05 01:32:40 EST 2015...
session (ip=10.0.0.17, Audit Session Id=0A0000020000000E027B9538, User Name=jeppich, AD User DNS
Domain=lab6.com, AD Host DNS Domain=null, AD User NetBIOS Name=LAB6, AD Host NETBIOS Name=null, Calling
station id=00:0C:29:77:D6:85, Session state= STARTED, Epsstatus=null, Security Group=null, Endpoint
Profile=VMWare-Device, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/23, RADIUSAVPairs=[ Acct-SessionId=00000006], Posture Status=null, Posture Timestamp=, Session Last Update Time=Wed Mar 04 20:06:47 EST 2015
)
session (ip=10.0.0.51, Audit Session Id=0A0000020000000C00035232, User Name=68:EF:BD:F6:76:56, AD User DNS
Domain=null, AD Host DNS Domain=null, AD User NetBIOS Name=null, AD Host NETBIOS Name=null, Calling station
id=68:EF:BD:F6:76:56, Session state= STARTED, Epsstatus=null, Security Group=null, Endpoint Profile=CiscoDevice, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/15, RADIUSAVPairs=[ Acct-Session-Id=00000004], Posture
Status=null, Posture Timestamp=, Session Last Update Time=Wed Mar 04 21:18:38 EST 2015 )... ending at: Thu
Mar 05 01:32:40 EST 2015
--------------------------------------------------downloaded 2 sessions in 12 milliseconds
--------------------------------------------------connection closed
Johns-Macbook-Pro:bin jeppich$
Step 3
Verify that pxGrid services up and you see the ISE published nodes.
Administration->pxGrid Services
Step 4
Register a pxGrid client and download the active session records using the pxGrid register and
session_download shell scripts while the primary pxGrid node is down.
Cisco Systems © 2015
Page 55
SECURE ACCESS HOW-TO GUIDES
Johns-Macbook-Pro:bin jeppich$ ./register.sh -keystoreFilename mac.jks -keystorePassword cisco123 truststoreFilename caroot1.jks -truststorePassword cisco123 -hostname 10.0.0.49 -username mac_engineering20 group Session
------- properties ------version=1.0.0
hostnames=10.0.0.49
username=mac_engineering20
descriptipon=null
keystoreFilename=mac.jks
keystorePassword=cisco123
truststoreFilename=caroot1.jks
truststorePassword=cisco123
-------------------------registering...
connecting...
connected.
done registering.
connection closed
Johns-Macbook-Pro:bin jeppich$
Step 5
Verify that you can see registered pxGrid client, mac_engineering20
Administration->pxGrid Services
Returning Back to Primary
Returning back pxGrid primary node
application stop ise” on secondary pxGrid node
Cisco Systems © 2015
Page 56
SECURE ACCESS HOW-TO GUIDES
“application start ise” on primary pxGrid node
Download active sessions from MnT Primary node to compare sessions, they should be the same
Register pxGrid client to primary pxGrid node
View Registered pxGrid client in ISE
View Deployment node status to indicate pxGrid node status
Step 1
Verify that the primary pxGrid node is back up
Administration->System->Deployment, you should see all the nodes
Step 2
Verify the pxGrid services are running and you see the ISE published nodes
Administration->pxGrid Services
Step 3
Verify that you still have connection be downloading the active sessions by running session_download
Dddd
Cisco Systems © 2015
Page 57
SECURE ACCESS HOW-TO GUIDES
Johns-Macbook-Pro:bin jeppich$ ./session_download.sh -keystoreFilename mac.jks -keystorePassword cisco123 truststoreFilename caroot1.jks -truststorePassword cisco123 -hostname 10.0.0.48 10.0.0.49 -username
mac_engineering15
------- properties ------version=1.0.0
hostnames=10.0.0.48, 10.0.0.49
username=mac_engineering15
keystoreFilename=mac.jks
keystorePassword=cisco123
truststoreFilename=caroot1.jks
truststorePassword=cisco123
filter=null
start=null
end=null
-------------------------connecting...
connected.
starting at Thu Mar 05 01:57:14 EST 2015...
session (ip=10.0.0.17, Audit Session Id=0A0000020000000E027B9538, User Name=jeppich, AD User DNS
Domain=lab6.com, AD Host DNS Domain=null, AD User NetBIOS Name=LAB6, AD Host NETBIOS Name=null, Calling
station id=00:0C:29:77:D6:85, Session state= STARTED, Epsstatus=null, Security Group=null, Endpoint
Profile=VMWare-Device, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/23, RADIUSAVPairs=[ Acct-SessionId=00000006], Posture Status=null, Posture Timestamp=, Session Last Update Time=Wed Mar 04 20:06:47 EST 2015
)
session (ip=10.0.0.51, Audit Session Id=0A0000020000000C00035232, User Name=68:EF:BD:F6:76:56, AD User DNS
Domain=null, AD Host DNS Domain=null, AD User NetBIOS Name=null, AD Host NETBIOS Name=null, Calling station
id=68:EF:BD:F6:76:56, Session state= STARTED, Epsstatus=null, Security Group=null, Endpoint Profile=CiscoDevice, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/15, RADIUSAVPairs=[ Acct-Session-Id=00000004], Posture
Status=null, Posture Timestamp=, Session Last Update Time=Wed Mar 04 21:18:38 EST 2015 )... ending at: Thu
Mar 05 01:57:14 EST 2015
--------------------------------------------------downloaded 2 sessions in 12 milliseconds
--------------------------------------------------connection closed
Step 4
Register a pxGrid client to verify that all is working.
Johns-Macbook-Pro:bin jeppich$ ./register.sh -keystoreFilename mac.jks -keystorePassword cisco123 truststoreFilename caroot1.jks -truststorePassword cisco123 -hostname 10.0.0.48 10.0.0.49 -username
mac_engineering50 -group Session
------- properties ------version=1.0.0
hostnames=10.0.0.48, 10.0.0.49
username=mac_engineering50
descriptipon=null
keystoreFilename=mac.jks
keystorePassword=cisco123
truststoreFilename=caroot1.jks
truststorePassword=cisco123
-------------------------registering...
connecting...
connected.
done registering.
connection closed
Step 5
View pxGrid client, mac_engineering50, on the ISE pxGrid controller
Administration->pxGrid Services
Cisco Systems © 2015
Page 58
SECURE ACCESS HOW-TO GUIDES
Cisco Systems © 2015
Page 59
SECURE ACCESS HOW-TO GUIDES
ISE Self-Signed Identity Certificates
The ISE Self-Signed Identity certificate for pxGrid may be used when no external CA Authority is available and for
testing pxGrid and ISE implementations without using the sample certificate from the pxGrid SDK. By default the
self-signed Identity Certificate contains both an Enhanced Key Usage (EKU) of Server Authentication
(1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2) and is located in the ISE System Certificates store.
pxGrid clients may use self-signed certs, please see: Using Self-Signed Certificates with pxGrid ISE node and pxGrid
clients
pxGrid clients may also use CA-signed certs, please see: Using Self-Signed Certificates with pxGrid ISE node and
CA-signed pxGrid clients
Step 1
Enable pxGrid usage in the ISE Self-Signed Identity Certificate
Administration->System->Certificates->System Certificates->Edit the ISE self-signed certificate and select
pxGrid and then Save
Cisco Systems © 2015
Page 60
SECURE ACCESS HOW-TO GUIDES
Step 2
Export the public ISE Identity Self-Signed certificate under Trusted Certificates.
Administration->System->Certificates->Edit the self-signed certificate and “Export Certificate Only”
Note: This will be saved as a PEM file
Step 3
Import the PEM file into the Trusted Certificate Store
Cisco Systems © 2015
Page 61
SECURE ACCESS HOW-TO GUIDES
Administration->System->Certificates->Trusted Certificates->select PEM certificate and enable “Trust for
authentication within ISE”, then submit
Step 4
Enable pxGrid persona
Administration->System->Deployment->Edit deployment node and enable pxGrid, then Save
Step 5
Start the pxGrid Services
Administration->pxGrid Services
Cisco Systems © 2015
Page 62
SECURE ACCESS HOW-TO GUIDES
Note: If you see no connectivity to pxGrid node, this may take some time to come up.
Cisco Systems © 2015
Page 63
SECURE ACCESS HOW-TO GUIDES
Sample Certificates from SDK
In this example, we use sample certificates from the pxGrid SDK, that will be used for POC only, and not in
productional environments. Here we import rootSample.crt for the trusted CA certificate and import iseSample1.crt
and iseSample1.key, which will server as the public/private pair for the pxGrid client for client registration. For more
detailed information on a POC deployment, sample Certificates and pxGrid sample shell scripts, please see:
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-84Configure_and_Test_Integration_with_Cisco_pxGrid.pdf
Step 1
Import rootSample.crt into the Trusted System Certificates of ISE
Administration->System->Certificates->Trusted Certificate->import the rootSample.crt, then Submit
Step 2
Import iseSample1.crt and iseSample1.key into the System Certificate store of ISE
Administration->System->Certificates->System Certificates->Import and use cisco123 for the password,
then submit.
Step 3
Enable pxGrid persona
Cisco Systems © 2015
Page 64
SECURE ACCESS HOW-TO GUIDES
Administration->System->Deployment->Edit deployment node and enable pxGrid, then Save
Step 4
Start the pxGrid Services
Administration->pxGrid Services
Note: If you see no connectivity to pxGrid node, this may take some time to come up.
Testing pxGrid Client
Make sure you export the ISE Self-Signed Identity Certificate from the MnT node, or in the case of a Stand-Alone
deployment to the pxGrid client for Bulk Session downloads (Please see Bulk Session Downloads).
Cisco Systems © 2015
Page 65
SECURE ACCESS HOW-TO GUIDES
Here we check for client registration and session downloads
Step 1
Use the register.sh script and run the following:
./register.sh -keystoreFilename iseSample1.jks -keystorePassword cisco123 -truststoreFilename rootSample.jks
-truststorePassword cisco123 -group Session -username iseSample -hostname 10.0.0.39 -group Session
------- properties ------version=1.0.0
hostnames=10.0.0.39
username=iseSample
descriptipon=null
keystoreFilename=iseSample1.jks
keystorePassword=cisco123
truststoreFilename=rootSample.jks
truststorePassword=cisco123
-------------------------registering...
connecting...
connected.
done registering.
connection closed
Verify that pxGrid client iseSample shows up as a registered client under pxGrid Services
Cisco Systems © 2015
Page 66
SECURE ACCESS HOW-TO GUIDES
References
How-to-Configure and Test pxGridhttp://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-84Configure_and_Test_Integration_with_Cisco_pxGrid.pdf
Using Self-Signed Certificates with pxGrid ISE node and pxGrid clients
Using Self-Signed Certificates with pxGrid ISE node and CA-signed pxGrid clients
Using CA-Signed Certificates with pxGrid ISE node and pxGrid clients
Cisco Systems © 2015
Page 67
SECURE ACCESS HOW-TO GUIDES
Appendices
Alternative way of generating pxGrid node Certificate Signing Request (CSR)
Here is an alternative of way of generating pxGrid node CSR requests. The primary PAN will generate the primary
pxGrid CSR request for the primary PAN and primary MNT nodes for pxGrid operation. The primary PAN will also
generate the secondary pxGrid CSR request for the secondary PAN and secondary MNT nodes for pxGrid activestandby configuration,
This section describes an alternative for exporting the public/private key pair from the primary pxGrid node and
importing into the Primary PAN and the Primary MnT node for pxGrid operation.
Step 1
Administration->System->Certificates->Generate Certificate Signing Request (CSR) for “pxGrid” usage
for both the Prinary PAN and the Primary MnT nodes.
Provide the Common Name (CN) and (DNS) values, then->Generate
Step 2
You will be prompted to download a csrs.zip file containing the CSR requests for the Primary PAN and
Primary MnT nodes
Step 3
Copy/Paste the Primary PAN request into the Advanced Certificate Request pxGrid template and download
the certificate
Step 4
Bind the certificate to the pan#1pxGrid node
Cisco Systems © 2015
Page 68
SECURE ACCESS HOW-TO GUIDES
Step 5
Copy/Paste the Primary MnT request into the Advanced Certificate Request pxGrid template and download
the certificate
Step 6
Bind the certificate to the MnT#1pxGrid node
Step 7
Administration->System->Certificates->Generate Certificate Signing Request (CSR) for “pxGrid” usage
for both the Secondary PAN and the Seondary MnT nodes.
Provide the Common Name (CN) and (DNS) values, then->Generate
Step 8
You will be prompted to download a csrs.zip file containing the CSR requests for the Seondary PAN and
Secondary MnT nodes
Step 9
Copy/Paste the Primary PAN request into the Advanced Certificate Request pxGrid template and download
the certificate
Step 10
Bind the certificate to the pan#2pxGrid node
Step 11
Copy/Paste the Secondary MnT request into the Advanced Certificate Request pxGrid template and
download the certificate
Step 12
Bind the certificate to the MnT#2pxGrid node
Cisco Systems © 2015
Page 69
SECURE ACCESS HOW-TO GUIDES
Troubleshooting
This section provides information on troubleshooting.
Make sure the pxGrid client, pxGrid nodes and ISE are DNS resolvable if you see the following error message:
jeppich$ ./session_download.sh -keystoreFilename mac.jks -keystorePassword cisco123 -truststoreFilename
caroot1.jks -truststorePassword cisco123 -hostname 10.0.0.48 10.0.0.49 -username mac
------- properties ------version=1.0.0
hostnames=10.0.0.48, 10.0.0.49
username=mac
keystoreFilename=mac.jks
keystorePassword=cisco123
truststoreFilename=caroot1.jks
truststorePassword=cisco123
filter=null
start=null
end=null
-------------------------connecting...
connected.
19:27:48.224 [main] WARN o.a.cxf.phase.PhaseInterceptorChain - Interceptor for
{https://mnt1.lab6.com/pxgrid/mnt/sd}WebClient has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Could not send Message.
at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSende
rInterceptor.java:64) ~[cxf-api-2.7.3.jar:2.7.3]
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271) ~[cxf-api2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.client.AbstractClient.doRunInterceptorChain(AbstractClient.java:581) [cxf-rtfrontend-jaxrs-2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.client.WebClient.doChainedInvocation(WebClient.java:904) [cxf-rt-frontendjaxrs-2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:772) [cxf-rt-frontend-jaxrs2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:759) [cxf-rt-frontend-jaxrs2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.client.WebClient.invoke(WebClient.java:355) [cxf-rt-frontend-jaxrs2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.client.WebClient.post(WebClient.java:381) [cxf-rt-frontend-jaxrs2.7.3.jar:2.7.3]
at com.cisco.pxgrid.stub.identity.impl.SessionIteratorImpl.open(SessionIteratorImpl.java:128)
[pxgrid-identity-client-stub-1.0.0.jar:1.0.0]
at com.cisco.pxgrid.samples.ise.SessionDownload.main(SessionDownload.java:132) [pxgrid-sdk1.0.0.jar:1.0.0]
Removing Java and Installing JDK 8.0 on Centos 6.5
Delete Old version of Java
Step 1 Ensure Centos 6.5 is up-to-date, type: yum update
Cisco Systems © 2015
Page 70
SECURE ACCESS HOW-TO GUIDES
Note: you may need root privileges, type: su root yum update
Step 2 Once updates are completes, remove any other installed JAVA packages by typing:
rpm -qa | grep -E '^open[jre|jdk]|j[re|dk]'
Note: there was the java-1.6.0-openjdk-1.6.0.0-1.56.1.11.8.el6_3.i686 package already installed so I removed it by running)
Step 3 Type: yum remove java-1.6.0-openjdk
Install JDK 8.0
Step 1 Change to root user, type: su, you will be prompted for your password.
Step 2 Install JDK 8, type: rpm -Uvh jdk-8u20-linux-x64.rpm
Step 3 You will also need to run the alternatives commands:
alternatives --install /usr/bin/java java /usr/java/latest/jre/bin/java 200000
alternatives --install /usr/bin/javaws javaws /usr/java/latest/jre/bin/javaws 200000
alternatives --install /usr/lib64/mozilla/plugins/libjavaplugin.so libjavaplugin.so.x86_64
/usr/java/latest/jre/lib/amd64/libnpjp2.so 200000
alternatives --install /usr/bin/javac javac /usr/java/latest/bin/javac 200000
alternatives --install /usr/bin/jar jar /usr/java/latest/bin/jar 200000
java –version
Check java version, type: java –version, you should see: java version “1.8.0_20”
Cisco Systems © 2015
Page 71
